Latest FCKEditor ASP upload bypass vulnerability

Posted by the OP on 2012-12-10 10:18:50
exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File", "^(Extensions Here)$"


Tested with PHP: does not work.
Tested with ASP/ASPX: succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite, modify it, and send it from Repeater.
Change the name to asd.asp%00txt, then convert the %00 with the URL-encoding function; after uploading, you get asd(1).asp

As shown in the screenshot, the webshell is at: http://localhost/userfiles/file/asd(1).asp
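The check that the quick patch above fixes, modelled in Python as an added example. This is not FCKeditor's own code and does not reproduce the ASP connector's exact control flow; the shortened allow-list, the file names and the set of "existing" files are constructed for the demonstration. It shows three things together: the raw alternation from config.asp used as an unanchored pattern passes any extension that merely contains an allowed token (so "asp\0txt" passes because it contains "txt"); a NUL byte in the name truncates what a C-string file API actually stores; and the duplicate-rename path rebuilds "stem(n).ext" from the submitted name without a second check, which is how asd.asp%00txt ends up on disk as asd(1).asp. Wrapping the list in ^( )$ rejects the same name at the first check.

```python
import re
from typing import Optional

# Allow-list in the style of the "File" entry in config.asp. This is a
# shortened, constructed list for the example; the shipped list is longer.
ALLOWED_FILE_EXTENSIONS = "doc|gif|jpg|pdf|png|txt|zip"


def extension_of(filename: str) -> str:
    """Everything after the last dot, lower-cased, in the spirit of the
    connector's Mid(sFileName, InStrRev(sFileName, ".") + 1)."""
    dot = filename.rfind(".")
    return filename[dot + 1:].lower() if dot >= 0 else ""


def is_allowed_ext(ext: str, allowed: str = ALLOWED_FILE_EXTENSIONS,
                   anchored: bool = False) -> bool:
    """Regex allow-list check.

    anchored=False models the behaviour the quick patch fixes: the raw
    alternation is the whole pattern, so an extension that merely *contains*
    an allowed token (e.g. "asp\\x00txt" contains "txt") passes.
    anchored=True wraps the list in ^( )$ as the quick patch does, so the
    entire extension must equal one allowed token.
    """
    pattern = f"^({allowed})$" if anchored else allowed
    # Python's $ also matches before a trailing newline; re.fullmatch would be
    # stricter still, but ^( )$ is kept here to mirror the config.asp patch.
    return re.search(pattern, ext, re.IGNORECASE) is not None


def stored_name(filename: str) -> str:
    """Name as a NUL-terminating file API writes it: everything from the
    first null byte onward is dropped."""
    return filename.split("\x00", 1)[0]


def upload(filename: str, existing: set, anchored: bool = False) -> Optional[str]:
    """Simplified model of the connector's upload path (an assumption, not the
    real ASP code). Returns the name the file is stored under, or None when
    the extension check rejects the upload."""
    ext = extension_of(filename)
    if not is_allowed_ext(ext, anchored=anchored):
        return None
    stem = filename[: filename.rfind(".")] if "." in filename else filename
    candidate = filename
    counter = 0
    # Duplicate handling: rebuild "stem(n).ext" from the submitted name and the
    # already-validated extension. No second extension check happens here, and
    # the existence test sees the NUL-truncated name just as the write does.
    while stored_name(candidate) in existing:
        counter += 1
        candidate = f"{stem}({counter}).{ext}"
    final = stored_name(candidate)
    existing.add(final)
    return final


if __name__ == "__main__":
    # Constructed scenario: an earlier upload already occupies asd.asp.
    for anchored in (False, True):
        result = upload("asd.asp\x00txt", {"asd.asp"}, anchored=anchored)
        print("anchored" if anchored else "unanchored", "->", result)
```

The two print lines are the whole story: with the unanchored list the null-byte name is accepted and stored as asd(1).asp, with the anchored list it is refused before anything touches the filesystem. The same model also shows that a plain shell.asp is rejected by both variants, so the bypass depends on the combination of substring matching and NUL truncation rather than on the allow-list itself being wrong.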
